Corporate or start-up: who’s most at risk?
Written by Joe Poppy on 14/12/2018
Recent events raise the question of just who is most at risk. Breaking it down by industry would take some doing (though financial institutions rank highly for obvious reasons), but start-up versus corporate is an intriguing comparison in its own right. Who’s more at risk, the multinational conglomerate or the start-up of twelve? The big-versus-small comparison has many aspects worth considering, and consider them we shall.
More to gain but harder to get to
Generally speaking, attackers have more to gain from larger companies. This could be direct financial gain, through stolen banking data, ransomware or stolen card details, or it could simply be the sheer amount of data up for grabs. In the cases of Quora, Reddit and Marriott, hundreds of millions of users between them had their data compromised. What that data consists of varies from breach to breach, but it will almost always include email addresses, which are sold on in bulk and then used as targets for phishing campaigns or, if more is known about the individual, for identity theft. As it stands, more usually is known. In Marriott’s case the exposed details included postal addresses, phone numbers, dates of birth, encrypted payment card information and even passport numbers. All of this is valuable to someone.
However, contrary to what the recent string of breaches might suggest, these larger companies usually have ‘better’ security. Many hold certificates against various compliance standards which, whilst not the same thing as being secure, at least means they should have processes in place to protect data. They also have more money, so they can invest in better security tooling and monitoring. Their environments are more likely to have been built and configured by dedicated infrastructure specialists, and their applications to have had a thorough penetration test.
What all this means is that attackers really have to know what they’re doing, and be extremely determined, to get in. In some respects this works in larger corporations’ favour, because human beings are naturally lazy: even when the work is sitting at a computer, people want to do as little of it as they can get away with.
The path of least resistance
On the other side of the cyber coin, smaller companies tend to have less money and therefore fewer defences. Their infrastructure may well have been thrown together haphazardly as they grew and then maintained by someone who isn’t a specialist, or who is juggling several roles. Patching may not be managed as rigorously, and applications may never have been properly tested for security flaws.
This means it’s theoretically easier to get through their defences. There may be less to gain, but it’s still a gain and, because it takes less time and effort to get to, it’s worthwhile. It is certainly worthwhile if the company processes payment card data. In this respect, smaller businesses may look like the target of choice: an easy win, even for less skilled attackers.
Bulletproof have conducted various red team engagements in which we’ve managed to bluff our way into offices and data centres, mostly by exploiting the innate politeness ingrained in the British. This is much easier to do in larger companies. People are less likely to question letting someone they don’t recognise into the office, because that person is probably just the new starter in customer care. It is next to impossible in a small business where everyone knows everyone.
So, from a social engineering perspective, larger companies are the more likely to suffer. Not that smaller companies are immune, of course.
Cyber Security Training
The best mitigation against social engineering is education. Cyber security training is rapidly becoming an essential part of every company’s security policy and is often a requirement of compliance packages. Regular training sessions can be expensive, and the more staff you have, the more sessions you’ll have to book, which is why larger companies tend to opt for e-learning modules. These tend to take the form of slides followed by a multiple-choice questionnaire. Opinion on their effectiveness is divided: some people think they’re terrible and others think they’re really terrible. The best training consists of engaging, interactive sessions with security experts. Coincidentally, Bulletproof provide these.
Larger companies have to book more sessions in order to train all their staff, but they have the funds to do so. Smaller companies have a more limited budget, but only need to book a few hours to train everyone. So, for both big and small, arranging proper training will hardly bankrupt them.
Larger companies are also more likely to pay a little extra when booking a penetration test to include a social engineering element. Afterwards they can focus on their problem areas and tighten their procedures. So, from a training perspective, we have something of a stalemate between big and small. Both are susceptible to social engineering, to differing extents. We’ll always say larger companies are in the most danger, simply down to the sheer numbers.
Monitoring and SIEM
SIEM solutions with active threat hunting are great for protecting a business. Monitoring logs for suspicious file changes, probing IPs, strange logons and more helps you spot an attack as it unfolds, and isolate and resolve the problem before too much damage is done. A SIEM only sees what you feed it, though: the log sources you ship to it, how long you keep them and how well the rules are tuned matter as much as the product itself. Unfortunately, there’s no getting around the fact that setting up a robust SIEM is expensive, and paying trained SOC analysts to run it around the clock is more expensive still.
This is where many smaller companies are at a disadvantage. Given the financial and reputational costs a large data breach can incur, companies with enough cash will certainly consider setting up an in-house SIEM. Small companies lack that option.
However, they can still benefit from a quality SIEM by outsourcing the responsibility to a managed service, which gives them access to the same technology and trained analysts at a fraction of the cost.
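What ‘probing IPs’ and ‘strange logons’ look like once written down as detection logic, as an added example that is not Bulletproof’s tooling or anything from the original post: a small Python script that parses constructed sshd-style log lines (invented host, users and times, with addresses from the RFC 5737 documentation ranges) and runs three correlation rules over them, a sliding-window count of failed logins per source address, a check for an accepted login shortly after that burst, and off-hours and unknown-source checks on every accepted login. The baseline of known addresses, the thresholds, the business hours and the year 2018 supplied for the syslog timestamps are all assumptions.

```python
"""Toy SIEM-style detection rules over constructed sshd auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import NamedTuple

# Constructed sample lines: invented host, users and times; addresses are from
# the RFC 5737 documentation ranges. Not taken from any real system.
SAMPLE_LOG = """\
Dec 14 09:01:12 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 52211 ssh2
Dec 14 09:01:14 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 52212 ssh2
Dec 14 09:01:15 web01 sshd[2231]: Failed password for root from 203.0.113.45 port 52213 ssh2
Dec 14 09:01:17 web01 sshd[2231]: Failed password for deploy from 203.0.113.45 port 52214 ssh2
Dec 14 09:01:19 web01 sshd[2231]: Failed password for deploy from 203.0.113.45 port 52215 ssh2
Dec 14 09:01:40 web01 sshd[2240]: Accepted password for deploy from 203.0.113.45 port 52230 ssh2
Dec 14 09:05:02 web01 sshd[2300]: Accepted publickey for alice from 10.0.0.5 port 40011 ssh2
Dec 14 12:30:45 web01 sshd[2410]: Failed password for alice from 10.0.0.5 port 40100 ssh2
Dec 14 12:30:51 web01 sshd[2410]: Accepted publickey for alice from 10.0.0.5 port 40101 ssh2
Dec 15 03:12:09 web01 sshd[3001]: Accepted publickey for alice from 198.51.100.7 port 61000 ssh2
"""

# Assumed baseline: the addresses administrators normally log in from.
KNOWN_IPS = {"10.0.0.5"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class Alert(NamedTuple):
    rule: str
    ip: str
    user: str
    detail: str


def parse_line(line, year=2018):
    """Parse one sshd auth line into a dict, or return None for anything else.

    Syslog timestamps carry no year, so the caller supplies one (2018 assumed).
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, known_ips, threshold=5, window_s=60, business_hours=(8, 19), year=2018):
    """Run the rules over the lines in order and return the alerts raised.

    brute_force: at least `threshold` failed logins from one IP inside `window_s`.
    success_after_brute_force: an accepted login from a flagged IP within
        `window_s` of its last failure (a scanner that got in, not just noise).
    off_hours_login / unknown_source_ip: an accepted login outside business
        hours, or from an address missing from the known baseline.
    """
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = set()                # ips already reported for brute force

    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        ip, ts, user = ev["ip"], ev["ts"], ev["user"]
        recent = failures[ip]

        if ev["result"] == "Failed":
            recent.append(ts)
            # Slide the window: forget failures older than window_s.
            while recent and (ts - recent[0]).total_seconds() > window_s:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(Alert("brute_force", ip, user,
                                    f"{len(recent)} failed logins within {window_s}s"))
            continue

        # Accepted login: correlate with earlier failures, then check context.
        if ip in flagged and recent and (ts - recent[-1]).total_seconds() <= window_s:
            gap = int((ts - recent[-1]).total_seconds())
            alerts.append(Alert("success_after_brute_force", ip, user,
                                f"login succeeded {gap}s after last failure"))
        if not business_hours[0] <= ts.hour < business_hours[1]:
            alerts.append(Alert("off_hours_login", ip, user, f"accepted at {ts:%H:%M}"))
        if ip not in known_ips:
            alerts.append(Alert("unknown_source_ip", ip, user, "address not in baseline"))
    return alerts


def run_sample():
    """Apply the rules to the constructed log with the assumed baseline."""
    return detect(SAMPLE_LOG.splitlines(), KNOWN_IPS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] {a.ip} user={a.user}: {a.detail}")
```

Run against the constructed log it raises five alerts. The one worth paging someone for is success_after_brute_force: a burst of failures that ends in an accepted login is what separates a noisy scanner from a compromised account, and a single failed login from a known address (alice’s typo at 12:30) correctly raises nothing. Production SIEM rules differ from this in scale and in the number of sources they correlate, not in kind, and they share its blind spots: a host whose logs are never shipped, or a threshold set too high, is invisible no matter what the product costs.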
You are a target for attackers. Whether you’re the CEO of a start-up or Chaz the intern at a global brand, you are susceptible to social engineering. Whether you have one server or a huge, complex network, you need to make sure it’s set up and configured securely and that all software is kept up to date. Spend wisely by working with cyber security experts and take advantage of penetration tests, managed SIEM and interactive cyber security training. You’ll never be 100% secure, but if you get the basics right you can get close to it, regardless of your size.