60% of hacked small businesses are closed in 6 months



Harold Mansfield
04-03-2017, 01:47 PM
Ran across this Oct, 2016 article over the weekend.


The U.S’ National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber attack. According to the Ponemon Institute, the average price for small businesses to clean up after their businesses have been hacked stands at $690,000; and, for middle market companies, it’s over $1 million.
60% of small companies that suffer a cyber attack are out of business within six months. – The Denver Post (http://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/)

It coincides with other articles and reports that I've been reading over the last couple of months that hackers are targeting small businesses more than ever because they are easy targets.

From my own observations, the average small business has the attitude that they have nothing a hacker would want, so it's not important enough to worry about. This line of thinking is dangerous and it's why small businesses keep getting picked off.

1. Most think "hackers" are all state sponsored, organized groups who create elaborate programs to force their way into a network with DDoS attacks, and only go after big targets. That is not true. Most hackers are small time individuals who have learned how to use basic software to make your life a living hell to make some money. Most exploitation software is open source and free to download. You just need to learn how to use it...which anyone can do on YouTube.

Anyone within reach of your wifi can hack you. But most attacks happen because people unwittingly let them in via phishing, spear phishing or other social engineering tricks.

2. No understanding about what is valuable.

I talked to one of my clients about their security last week. They're developing proprietary software and hardware for virtual reality. They assured me that all of their designs and proprietary info are properly secured. Awesome. I asked what about their employee records, contact lists and information, investor info and accounting?

They asked why would anyone be interested in that?

A few weeks ago it was reported that a small business in Cincinnati, a medical office, was hacked. You know how they discovered it? Employees started filing their taxes and getting denial letters stating that their taxes had already been filed and paid out.
http://www.bizjournals.com/cincinnati/news/2017/03/16/cincinnati-doctor-group-s-employee-information.html

Small businesses are easy targets because most have no security, aren't concerned about it, and a decent hacker can make a good score just by stealing the info of 10 people, and 10 people they know and so on.

Bottom line, if you're in business and use computers to run that business, it's not just about your personal security; you have an obligation to everyone whose information you have on your system, including clients and employees.

I know it feels like I'm always sounding this alarm, but small businesses are now the majority of reported hacks, to an estimated tune of 4k attacks a day. It's a blood bath out there and hackers are picking people off left and right. Do you think ANY law enforcement agency has the manpower to investigate 4k hacks a day? Even if they did, they can't catch every perpetrator in countries from all over the world.

It's going to be up to you to learn, and protect yourself. The government or Google is not coming to the rescue with an easy button to solve this.


Is anyone concerned? Has anyone started learning more about protecting themselves?
Just curious where everyone is on this, and why they think it is or isn't that important?

Stefany
04-03-2017, 02:35 PM
Hmmm, I bet most of them used VERY cheap programmers using WordPress because it is "easy" and not knowing how to secure it properly.

Harold Mansfield
04-03-2017, 02:47 PM
Hmmm, I bet most of them used VERY cheap programmers using WordPress because it is "easy" and not knowing how to secure it properly.

Well, I'm not really talking about website hacks which happen to everyone regardless of size or software. This is more about network, computers and critical systems, or just your laptop being hacked. Most small businesses don't host their own website on their own servers so there's no connection to bridge from one to the other.

If I wanted to siphon info from your Human Resources files, banking info, or QuickBooks program with all your clients' info in it... I wouldn't target your website. I would target you or your employees. It's also easier to hack your website the same way: targeting the users, not the server.

Website security is a different thing that I could also talk about till I'm blue in the face. It's not very hard to secure a WordPress website from the most common attacks. Has nothing to do with programmers. It's about how educated you are on using the tools available to you, and staying vigilant. Most website owners, regardless of what software it's on, want to "set it and forget it", which isn't realistic for any technology.

I deal with hacked WordPress sites all the time, and it's 50/50 user error and weak hosting. When you buy the cheapest hosting possible, you get the cheapest hosting possible. You can stop most amateurs in their tracks when they can't find your login file. Just that one change can cut down brute force tries to almost nothing. Yet, just about every WordPress site I go to has the front door wide open, and hosting companies and companies like SiteLock do NOTHING to secure that one thing.

Also when you use the same email and similar password all over the internet, you're eventually going to get hit. It's inevitable.

Most small time hacks happen because people just don't know that they are being careless. We're all kind of still using the rules that we learned when we first got online (which were very few), and the only thing we know about security is having a strong password... and then of course we use the same or similar one across the entire internet.

My point is, you can't just sit back and blame WordPress or GoDaddy or Facebook. You have to take an active role in your security and prepare your business to prevent disaster. No one is coming to save us. The little guy is the biggest target these days.

cbscreative
04-03-2017, 06:00 PM
I know it feels like I'm always sounding this alarm, but small businesses are now the majority of reported hacks, to an estimated tune of 4k attacks a day. It's a blood bath out there and hackers are picking people off left and right. Do you think ANY law enforcement agency has the manpower to investigate 4k hacks a day? Even if they did, they can't catch every perpetrator in countries from all over the world.

It's going to be up to you to learn, and protect yourself. The government or Google is not coming to the rescue with an easy button to solve this.


Is anyone concerned? Has anyone started learning more about protecting themselves?
Just curious where everyone is on this, and why they think it is or isn't that important?

Those of us in the know are security fanatics because the threats are very real. Most of the population at large, including small businesses like you said, don't realize just how real these threats are and go about their day in oblivious bliss. And like you also said, 4k a day get a sudden reality check.

Harold Mansfield
04-04-2017, 12:03 PM
Just to add...

The most common form of hacking/disruption is ransomware. A script that takes over your server, or all the computers on your network (whether that be 1 or 1k), and locks you out by either changing all your permissions and passwords, or encrypting your files so that you can't access them.

The perpetrators then want a fee (or ransom) to give you the unlock key so that you can get back in. Usually paid in bitcoin. Thousands of businesses big and small in America and around the world get hit by this EVERY WEEK, and even banks are now keeping bitcoin reserves to help customers pay ransom. If that doesn't tell you there is no fix coming, and no way to stop it, nothing will.

But there actually is a way to prevent it.

Most ransomware is let in. People are tricked into opening email attachments, spoofed emails, or being careless with their activities online.
It's one of the easiest ways to take over a network or get into a computer. People. People are the weakest link.

Triple back up your stuff, take security seriously, and train your staff to take it seriously, and read a blog post every now and then about new threats and spoofing tricks, and you'll be more prepared than most.

Bobjob
04-07-2017, 03:47 PM
Is there software that can protect you from opening false emails? Where you click the attachment and it prompts "you better investigate this further before opening!"

I tricked myself one time. I had spoken with a company called Global Industrial Products (a legitimate phone call). The next morning I had an email from Global Services (or something like that) and I tried to open the attachment thinking it was the Global I'd spoken with the day before.

How much does Mac usage protect a user?

You got this right "No one is coming to save us."

A local big law firm was ransomwared in 2012. They contacted the FBI - and the FBI said pay the ransom. They had to open a bank account in a neighboring state (no local bank worked with Bitcoin) to pay the ransom.

Great thread.

Harold Mansfield
04-07-2017, 04:00 PM
Is there software that can protect you from opening false emails? Where you click the attachment and it prompts "you better investigate this further before opening!"
Not exactly. I use Gmail, Outlook and some other encrypted services. Gmail and Outlook will move suspected spam either to a folder, disable links until you approve it, or just auto delete known spam. It can't know every possible threat at all times, so your own diligence and education is still the best defense.

If you have a team or employees, you have to train them and stay on top of it. You should also set standards and rules of what is allowable on company computers, and who can access your network remotely, and have some control over the security of the devices they are using to access it.

It's so easy to infect an employee at home, and they bring it to the work network like patient zero.


I tricked myself one time. I had spoken with a company called Global Industrial Products (a legitimate phone call). The next morning I had an email from Global Services (or something like that) and I tried to open the attachment thinking it was the Global I'd spoken with the day before.


How much does Mac usage protect a user?
It's a false sense of security that Macs are less vulnerable. If I'm spear phishing you and I know you have a Mac, then I send you the Mac exploit. Some exploits don't matter. Depends on how you're being targeted or attacked and from where, on what. There are so many ways to exploit a network, it really is dealer's choice.


You got this right "No one is coming to save us."

A local big law firm was ransomwared in 2012. They contacted the FBI - and the FBI said pay the ransom. They had to open a bank account in a neighboring state (no local bank worked with Bitcoin) to pay the ransom.

Great thread.

Yep, it's easy pickings out there right now.

WarrenD
04-11-2017, 03:14 AM
I've seen a case where a hacking was an inside job. A friend of mine is a dealer of bodybuilding supplements and a couple of years ago he got a site running to do e-commerce sales of his merchandise. The site got hacked often right from the start and even though they hired an expert to beef up security, the hacks still continued. Later it was discovered that the guy he'd put in charge of managing the site (one of his employees) was not happy with his job and was doing it to get back at his employer!

SocMediaMaven
04-11-2017, 09:23 AM
I certainly thought like many, that hackers go after value, and that small businesses don't generally offer enough.

What an eye-opener!

Harold Mansfield
04-11-2017, 11:01 AM
I certainly thought like many, that hackers go after value, and that small businesses don't generally offer enough.

What an eye-opener!

The stereotype of who or what a hacker is needs to change too. I blame that mostly on the media and marketing blogs who call everything a "hack" as a buzz word... basically desensitizing everyone to it to just mean some great weight loss trick.

Most people have this picture in their mind of Mr. Robot, or a big building of state sponsored Chinese hackers trying to break into the DOD. A black hat hacker can be anyone with a used laptop, and $50 worth of accessories who is smart enough to learn how to use the software, and most personal, small business or network security is weak enough for that to be enough.

We need to stop thinking of it as some inevitability that we have no control over, and only happens to other people.

It's a break in. It's a theft. If someone kicked in your door and rummaged through your files you'd be outraged, scared, and would be scrambling to find out what they did and what they stole, and for what purposes. So to protect against that we put locks on the door, maybe put in a few cameras, are careful with who has the keys, and so on. You don't look at your front door and say "What could I possibly have that a robber wants?" and just shrug your shoulders and walk away leaving it open.

thegirlgrotto
05-02-2017, 05:12 PM
Great advice!

traceywayne
05-03-2017, 07:01 AM
Very interesting read and some good points noted. I guess it would be a lot easier than trying to breach a bigger corp, so I can understand why they are going after smaller companies.