That's not how it works in real life.
You see, we don't live in a caper movie. Today's cybercrime is done wholesale. It's done by dull people from their homes, often in Eastern Europe, with constant and continuous automated sweeps of the internet for vulnerable people and businesses. They wouldn't know you from Adam.
For example, according to email security company Valimail, more than three billion phishing email messages are sent out every day. That's "B" as in billion.
You may think, "How can anyone fall for a phishing message?" Easy. They often appear as if they're from someone or an organization you already trust or know. For example, Amazon, eBay, and PayPal are often spoofed by phishers.
Phishing campaigns are also trivial to run. The people behind the fake PayPal credit card offer in your e-mail don't have to know the difference between a byte and a bit. They just get an automated phishing kit, a list of e-mail addresses, and let it rip.
Even, spear-phishing, which is when an attacker targets you in particular using data about you or your company, can be automated. All those endless security breaches, such as the 280 million Microsoft customer records stolen in January 2020, have given the cyber-criminal underworld all the data they need to automatically generate "personalized" messages.
It's not just e-mail, by the way. Every day in every way your online presence is under constant attack. For example, my tiny business, Vaughan-Nichols & Associates, maintains a simple WordPress site that does nothing except store archives of my older stories and links to my newer ones. Care to guess how often it's attacked? My little nothing website averages about 500 attacks a day.
If your business site has an e-commerce component, I guarantee you'll get many times more attacks than mine does. My site's safe, but then security is one of the things I do for a living. If you don't have someone keeping the wall around your Internet presence in good repair, odds are if you haven't been hacked yet, you will be.
In addition to everyday web attacks, how good have you and yours been at keeping the rest of your Internet-facing software patched and up to date? The answer appears to be that all too many small business owners do a lousy job of it.
For instance, the recent Microsoft Exchange hack hit hundreds of thousands of standalone Exchange servers. Heck, F-Secure security researchers have found that even now, weeks after the hack, tens of thousands of sites around the world still haven't patched their Microsoft Exchange Server. In fact, as F-Secure senior security consultant Antti Laatikainen said: "They're being hacked faster than we can count. Globally, this is a disaster in the making."
Actually, this already is a disaster.
You see, simply patching Exchange isn't enough. You must remediate your e-mail accounts and storage as well. For starters, everyone — and I mean everyone — needs to reset their passwords, and it only gets more complicated from there.
Again, there was no need to target you in particular. Dozens of crooked scanning programs are looking for any vulnerable Exchange server. On top of that, anytime a zero-day security vulnerability is announced, the dark web's scanning services offer their criminal users access to new scanning tools looking for anyone who hasn't yet patched the latest vulnerability.
No one likes to deal with security. It costs money to do it right. It takes a lot of work to do it right. It's no fun doing it right. But, if you don't, your business is living on borrowed time. It's never, "Will you be attacked?" or even, "When will I be attacked?"
Without hard security work, it's going to be: "When will I fall to a successful attack?" |
