Corporate or start up: who’s most at risk?

Joseph Poppy Headshot
Joseph Poppy
Security Blogger
14th December 2018

Big breaches for big targets

2018 is rapidly drawing to a close. The winter chill is setting in and a festive spirit permeates the air. 2019 is hurtling towards us carrying the promise of new challenges and opportunities. However, there’s still a couple of weeks to get a few more massive data breaches in.

From Ticketmaster, Dixons and British Airways to Quora and Reddit, we’ve seen thousands of payment cards compromised and millions of users’ details stolen. Marriott tops the list with a casual half a billion customers’ data compromised. Not only that, it turns out that their database had been compromised since 2014. Perhaps they could have benefited from a quality SIEM. Everyone is at risk of a cyber-attack, but one could be forgiven for thinking that it’s only the major players getting targeted.

New companies are cropping up everywhere. This is partially due to that great enabler called technology. With simple apps that help process payments, manage payroll, orchestrate HR and more, it’s becoming easier and easier for entrepreneurs to make their vision a reality. In March of 2018, it was claimed that a technology firm was set-up in the UK on average once every hour. Clearly then, the SME market is a huge source of potential revenue for malicious actors.

Data breaches
43% of businesses experienced a cyber security breach or attack in the last 12 months.

Recent events do raise the question as to just who is most at risk. Breaking it down by industry will take some doing (though financial institutions often rank highly on that list for obvious reasons), but the start-up vs corporate environment is an intriguing question. Who’s more at risk, the multi-national conglomerate or the start-up company of twelve? The big vs small comparison has many aspects that are worth considering and consider them we shall.

Who’s more at risk, the multi-national conglomerate or the start-up company of twelve?

More to gain but harder to get to

Generally speaking, the hacking community has more to gain from the larger companies. This could be financial gain, through stolen banking data, ransomware or stolen card details for example, or it could be in the sheer amount of data up for grabs. In the case of Quora, Reddit and Marriott, hundreds of millions of users had their data compromised. What this data consists of can vary from company to company, but all will undoubtedly contain email addresses, which can be sold on the dark web. These will likely be used as targets for phishing campaigns or – if more information is known – in identity theft. As it stands, more information usually is known. In the case of Marriott, details included addresses, phone numbers, birth dates, encrypted credit card information and even passport numbers. All this information is valuable to someone.

However, contrary to what the recent string of hacks might suggest, these larger companies will usually have ‘better’ security. Many hold certificates for various compliance standards, which whilst not equating to security, theoretically means they’ll have processes in place to protect data. They also have more money, which means they can invest in better security tech and monitoring. Their environments will have been set up and configured by dedicated infrastructure experts and their apps would have received a thorough pen testing.

What all this means is that hackers will really have to know what they’re doing and be extremely determined to get in. In some respects, this works in larger corporations’ favour, as human beings are naturally lazy. Even when it’s a case of sitting at a computer, people will want to do the least amount of sitting at a computer as possible.

The path of least resistance

On the other side of the cyber coin, smaller companies will tend to have less money, and therefore fewer defences. Their infrastructure may well have been thrown together haphazardly as they started to grow and then maintained by someone who isn’t an expert or someone who’s fulfilling multiple roles. Patching may not be as well managed, and apps might not be as thoroughly tested for security flaws.

This means that it’s theoretically easier to get through their defences. Whilst there may be less to gain, it’ll still be a gain and, as it requires less time and effort to get to, it’s worthwhile. It’ll certainly be worthwhile if the company is processing payment card data. In this respect, smaller businesses may seem like the target of choice. It’s an easy win, even for the less knowledgeable hackers.

Phishing tactics and other social engineering

Phishing is arguably the easiest way of compromising a network. Why go through all the trouble of trying to exploit technical flaws or avoiding firewalls when you can just get a member of staff to let you in? You wouldn’t try and slide down a chimney if someone’s holding the door open for you (unless of course you’re Santa, in which case tradition demands it).

The more people you have in your organisation, the more likely it is that someone is going to open that dodgy attachment or click a malicious link. If everyone’s in the same room and an email drops into a mailbox claiming to have an invoice attached, Jenny could poke her head up and ask, ‘anyone expecting an invoice?’ When the answer is no, it can be deleted, and the sender blocked.

In contrast, larger companies have various different departments working independently, with hundreds of emails firing back and forth. It’s likely that users will think that said attached invoice has something to do with someone else, and the easiest way to find out who is to open it up and see what was ordered. All of a sudden, every file on the network is encrypted with ransomware and, once again, Chaz the intern is getting thrown under the bus.

Phishing tactics
Social engineering doesn't have to be sophisticated

Bulletproof have conducted various red team tests in which we’ve managed to bluff our way into offices and data centres, mostly by exploiting the innate politeness ingrained in the British. This is much easier to do in larger companies. People are less likely to question letting someone they don’t know into the office, because they’re probably just the new starter in customer care. This is next to impossible in small businesses where everyone knows everyone.

So, from a social engineering perspective, it’s larger companies that are more likely to suffer from it. Not that smaller companies don’t of course.

Hacking a smaller business will certainly be worthwhile if the company is processing payment card data.

Cyber Security Training

The best mitigation against social engineering is education. Cyber security training is rapidly becoming an essential part of every company’s security policy and is often a requirement of compliance packages. Regular training sessions can be expensive and the more members of staff you have, the more sessions you’ll have to book, which is why larger companies tend to opt for e-learning modules. These tend take the form of slides followed by a multiple-choice questionnaire. The effectiveness of these is debatable, in that some people think they’re terrible and others think they’re really terrible. The best kind of training consists of engaging and interactive sessions with security experts. Coincidentally, Bulletproof provide these.

Larger companies will have to book more sessions in order train all their staff, but they do have the funds to do so. Whilst smaller companies have a more limited budget, they’ll only need to book a few hours to train all their staff. So, for both big and small, arranging proper training will hardly bankrupt them.

Larger companies are more likely to pay a little extra when booking a penetration test in order to include a social engineering element. Following this, they’ll be able to focus on their problem areas and tighten their procedures. So, from a training perspective, we have a bit of a stalemate between the big and the small. Both are susceptible to social engineering, but to a different extent. We’ll always say larger companies are in the most danger, simply down to the sheer numbers.

Third party apps

I think it’s fair to say, that smaller businesses will tend to rely more on third parties than larger ones. The aforementioned outsourcing of HR payroll and payment processing springs to mind. This helps keep costs down, but also means relinquishing a great deal of control. If the company handling your payroll get’s breached, then by extension you have been breached.

Larger companies tend to do all of this in house, meaning they have full control over their data. However, this also means that if they are breached, they’ve no one to blame but themselves. This is not to say that larger companies are not at the mercy of third parties at all. Many make use of apps, or still choose to outsource payment processing. It’s just – on the whole – they are less at risk than smaller ones.

Third party apps
If your third party processor are exposed, chances are you are too.

SIEM solutions

SIEM solutions with active threat hunting are great for protecting a business. Monitoring log files for suspicious file changes, probing IPs, strange logons and more can help prevent an attack taking place or isolate and resolve a problem before too much damage is done. Unfortunately, there’s no getting around the fact that setting up a robust SIEM can be expensive. Paying trained SOC analysts to manage it is even more so.

This is where many smaller companies are at a disadvantage. Considering the financial and reputational costs a large data breach can incur, companies with enough cash will certainly consider setting up an in-house SIEM. Small companies lack that option.

However, they can still benefit from a quality SIEM if they outsource this responsibility. This gives you access to quality tech and trained analysts at a fraction of the cost.

Data breaches aren’t stopped by big budgets.

...So, who’s more vulnerable?

From typing out the above, it seems the only real conclusion to be made is to reiterate that everyone is at risk. The main difference between the big and small companies is that the former has a bigger budget. But as we have seen throughout this year, data breaches aren’t stopped by big budgets. It’s not about how much you can spend, it’s where and how you spend it.

Training modules that staff vacantly click through offer nothing. Paying for compliance packages, but only following the standards when an audit is coming up is – frankly – a waste of money. Paying for penetration tests, but not including key components in the scope can be disastrous (poor scoping is a pet peeve of our pen testers). Properly scoping your pen test can save you money in the long run.

Take time to analyse your network and ensure the proper segmentation is in place, even if it means getting an external expert in to advise. It might cost initially, but it’ll really help keep your important assets secure.

Analyse your network
Take time to analyse your network

Summing up

You are a target for hackers. Whether you’re the CEO of a start-up or Chaz the intern at a global brand, you’re susceptible to social engineering. If you’ve got one server or a huge, complex network, you need to make sure it’s set up and configured securely and all software is up to date. Spend wisely by working with cyber security experts and take advantage of penetration tests, managed SIEM and interactive cyber security training. You’ll never be 100% secure, but if you do everything right you can get close to it, regardless of your size.

Joseph Poppy Headshot

Meet the author

Joseph Poppy Security Blogger

Joseph is a Communications Executive and Security Blogger who has contributed articles covering a range of topics including staying ahead of cyber threats.

Penetration Testing

Check out our penetration test offers designed to help businesses of all sizes.

Click to learn more

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.